# T1612 - Build Image on Host
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1612)
<blockquote>

Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)

An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. 

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Build Image On Host](#atomic-test-1---build-image-on-host)


<br/>

## Atomic Test #1 - Build Image On Host
Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.

**Supported Platforms:** Containers


**auto_generated_guid:** 2db30061-589d-409b-b125-7b473944f9b3






#### Attack Commands: Run with `sh`! 


```sh
docker build -t t1612  $PathtoAtomicsFolder/T1612/src/
docker run --name t1612_container --rm -d -t t1612
docker exec t1612_container ./test.sh
```

#### Cleanup Commands:
```sh
docker stop t1612_container
docker rmi -f t1612
```



#### Dependencies:  Run with `sh`!
##### Description: Verify docker is installed.
##### Check Prereq Commands:
```sh
which docker
```
##### Get Prereq Commands:
```sh
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
```
##### Description: Verify docker service is running.
##### Check Prereq Commands:
```sh
sudo systemctl status docker  --no-pager
```
##### Get Prereq Commands:
```sh
sudo systemctl start docker
```




<br/>